Setup

Irate Manticore

Installation Steps

Since it’s not feasible to redistribute Microsoft Windows, you will need to
provide and set up a Windows XP SP2 32-bit image, and then install SandboxIE.

Do not download or install any updates for Windows.

Configure SandboxIE to restrict everything as much as possible. Create the
directory c:\hammertime, make the file c:\hammertime\token.txt. Configure
SandboxIE to forbid access to that directory for restricted processes. Once
SandboxIE is configured, start up a sandboxed Internet Explorer.

You can test whether Internet Explorer is appropriately restricted by trying to
access file://c:/hammertime/token.txt; access to that file should be prevented.

The desktop picture should be created (via MS Paint), and stored in
c:\windows\system32, and set as the background picture. There should be some
obvious information stored there, such as a token, and this image.

The desktop picture should also have a rough diagram of the network with the
FreeBSD server’s machine.

Create a file called “auth details.txt” with the contents of “admin /
Sizzlechest”. Put that file in the recycling bin.

During the Ruxcon CTF, the admin / Sizzlechest was obtained by visiting a
physical location. Hard to replicate that online though :-)

Configure Network

The network layout for Irate Manticore should look like the following:

The network for irate-manticore and glowing-marsupial should be set up so that
all traffic from them is NAT’d, and that no external network traffic is able to
reach it. Due to the variety of virtual machine software and operating system
combinations possible, more specific instructions are not provided.

Running

You may wish to save the machine state now, so that you can go back to a
pristine image as required. Ensure that Internet Explorer is maximized, along
with another application (such as notepad). In Internet Explorer, navigate to
your chosen URL.

During the Ruxcon 2012 CTF, this part of the code was automated by polling the
main CTF website and getting the target URL from it.

Glowing Marsupial

Install a FreeBSD 8.2 x86 system, and enable the telnet service by uncommenting
a line in /etc/inetd.conf, and restarting inetd. You may wish to install socat
as well to make the attacker’s job a bit easier.
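
One way to script the inetd.conf step so the lab image can be rebuilt repeatably, as an added example that is not part of the original setup notes. It assumes the stock entry format `#telnet stream tcp nowait root /usr/libexec/telnetd telnetd`; the function names and the sample file are hypothetical.

```sh
#!/bin/sh
# Added example: enable the IPv4 telnet entry in an inetd.conf-style file.

# Constructed sample mirroring the commented-out stock entries.
sample_conf() {
    printf '#ftp\tstream\ttcp\tnowait\troot\t/usr/libexec/ftpd\tftpd -l\n'
    printf '#telnet\tstream\ttcp\tnowait\troot\t/usr/libexec/telnetd\ttelnetd\n'
    printf '#telnet\tstream\ttcp6\tnowait\troot\t/usr/libexec/telnetd\ttelnetd\n'
}

# telnet_enabled FILE: succeeds if an active IPv4 telnet entry is present.
telnet_enabled() {
    grep -Eq '^telnet[[:space:]]+stream[[:space:]]+tcp[[:space:]]' "$1"
}

# enable_telnet FILE: uncomment the first "#telnet stream tcp" line only.
# Returns 0 if telnet is enabled afterwards, 1 if there is no entry to enable.
enable_telnet() {
    et_conf=$1
    telnet_enabled "$et_conf" && return 0          # idempotent: nothing to do
    grep -Eq '^#telnet[[:space:]]+stream[[:space:]]+tcp[[:space:]]' "$et_conf" || return 1
    et_tmp=$(mktemp "${et_conf}.XXXXXX") || return 1
    # Strip the leading '#' from the first match; the tcp6 entry stays disabled.
    awk '!done && /^#telnet[ \t]+stream[ \t]+tcp[ \t]/ { sub(/^#/, ""); done = 1 }
         { print }' "$et_conf" > "$et_tmp" &&
        cat "$et_tmp" > "$et_conf"                 # keeps the file's owner and mode
    et_rc=$?
    rm -f "$et_tmp"
    return $et_rc
}

# Demo on a scratch copy. On the guest itself this would be:
#   enable_telnet /etc/inetd.conf && /etc/rc.d/inetd restart
demo=$(mktemp) && sample_conf > "$demo" && enable_telnet "$demo" && grep telnet "$demo"
rm -f "$demo"
```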

The aim behind Irate Manticore and Glowing Marsupial is to demonstrate network
pivoting by first completing a client-side attack, using the compromised client
machine to attack the FreeBSD system, and then finally using the FreeBSD system
to exploit the original machine to bypass SandboxIE.

Touchy Owl

Touchy Owl is distributed as a bootable CD-ROM image; therefore, no special
setup instructions are required.